[15399] in bugtraq
Re: CGI: Selena Sol's WebBanner ( Random Banner Generator )
daemon@ATHENA.MIT.EDU (Ron Parker)
Tue Jun 20 14:06:15 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <3.0.1.32.20000616150044.02a56938@mail.gwmicro.com>
Date: Fri, 16 Jun 2000 15:00:44 -0500
Reply-To: Ron Parker <ron@GWMICRO.COM>
From: Ron Parker <ron@GWMICRO.COM>
X-To: Johannes Westerink <jwesterink@JOHANNES2.DAXIS.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <ILENKALMCAFBLHBGEOFKGEJCCAAA.jwesterink@jwesterink.daxis.nl>
At 08:55 AM 6/13/2000 +0200, Johannes Westerink wrote:
> Application Name: WebBanner (Random Banner Generator)
> Application Authors: Eric Tachibana (Selena Sol) and Gunther Birznieks
> Version: 4.0
> Last Modified: 17NOV98
> Site: http://www.extropia.com
[...]
There's code in the script that's supposed to stop this exploit. It'd
probably be better to fix that instead, assuming it's actually broken. Did
you actually test this exploit against a running installation, or is this
advisory based solely on static analysis?
------- snippet from earlier in the WebBanner script ----------
# If they try to go outside the directory kill the program
if ($form_data{'html_file'} =~ /\.\\?\./ ||
    $form_data{'html_file'} !~ /\.htm.?$/i) {
    $form_data{'html_file'} = "";
    exit(0);
}
------- end snippet ---------
> &CgiDie ( "I'm sorry, but I was unable to open the requested
> HTML file in the Insert Random Banner Into Page routine. The
> value I have is $html_file. Would you please check the path and
> the permissions for the file." );
This isn't safe, and it's also in the original WebBanner script. Note that
CgiDie outputs the error message *to the user*. Imagine what happens when
some black hat redirects their users to your script with suitable javascript
in place of html_file (making sure to avoid the .. or .\. sequence of
characters, and to end it with .htm.)

See http://www.cert.org/advisories/CA-2000-02.html for more details on this
common problem. Also note that this does not appear to be the only instance
of this problem in the WebBanner script.
--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
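Added illustration of the two points raised in the reply above (the regex check that only rejects ".." and ".\." but still admits HTML markup, and the CgiDie message that reflects the raw value). This is not code from the thread or from WebBanner: it is a Python port of the quoted Perl check, placed beside a hardened allowlist-plus-confinement check and an escaped error message. BANNER_DIR, the sample values and the hardened_* function names are assumptions made for the example.

```python
import html
import os
import re

# Assumed directory the CGI is meant to serve HTML files from (constructed).
BANNER_DIR = "/var/www/banners"


def original_check(html_file):
    """Port of the WebBanner 4.0 check quoted in the thread.

    Returns True when the script would continue with this value: it only
    rejects '..' / '.\\.' sequences and names not ending in .htm or .html.
    Nothing here stops characters that are meaningful once echoed into HTML.
    """
    if re.search(r'\.\\?\.', html_file):             # '..' or '.\.'
        return False
    if not re.search(r'\.htm.?$', html_file, re.I):  # must end in .htm(l)
        return False
    return True


def original_error_message(html_file):
    """Shape of the quoted CgiDie message: the raw value is reflected."""
    return ("I'm sorry, but I was unable to open the requested HTML file. "
            "The value I have is " + html_file)


def hardened_error_message(html_file):
    """Same message, but the untrusted value is HTML-escaped before reflection."""
    return ("I'm sorry, but I was unable to open the requested HTML file. "
            "The value I have is " + html.escape(html_file, quote=True))


def hardened_path(html_file, base_dir=BANNER_DIR):
    """Hypothetical replacement for the regex check (not the project's code).

    Allowlists the file name (no slashes, no markup, bounded length), then
    resolves it under base_dir and confirms it did not escape that directory.
    Returns the resolved path, or None when the value is rejected.
    """
    if not re.fullmatch(r'[A-Za-z0-9_-]{1,64}\.html?', html_file):
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, html_file))
    if os.path.commonpath([base, path]) != base:
        return None
    return path
```

The allowlist makes the reflected-markup case unreachable on input, and the escaped message covers the remaining places where the value is still echoed.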